Bug 48591
| Summary: | libvncserver: Multiple issues (4.3) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Quality Assurance <qa> |
| Component: | Security updates | Assignee: | Quality Assurance <qa> |
| Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
| Severity: | normal | ||
| Priority: | P3 | ||
| Version: | UCS 4.3 | ||
| Target Milestone: | UCS 4.3-3-errata | ||
| Hardware: | All | ||
| OS: | Linux | ||
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) | ||
|
Description
Quality Assurance
--- mirror/ftp/4.3/unmaintained/4.3-2/source/libvncserver_0.9.11+dfsg-1+deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-3/source/libvncserver_0.9.11+dfsg-1.3~deb9u1.dsc @@ -1,4 +1,51 @@ -0.9.11+dfsg-1+deb9u1 [Tue, 05 Jun 2018 14:43:47 +0200] Markus Koschany <apo@debian.org>: +0.9.11+dfsg-1.3~deb9u1 [Sat, 02 Feb 2019 22:41:23 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * Rebuild for stretch-security. + +0.9.11+dfsg-1.3 [Wed, 30 Jan 2019 22:39:15 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload. + * LibVNCClient: ignore server-sent cut text longer than 1MB (CVE-2018-20748) + (Closes: #920941) + * LibVNCClient: ignore server-sent reason strings longer than 1MB + (CVE-2018-20748) (Closes: #920941) + * LibVNCClient: fail on server-sent desktop name lengths longer than 1MB + (CVE-2018-20748) (Closes: #920941) + * LibVNCClient: remove now-useless cast (CVE-2018-20748) (Closes: #920941) + * Error out in rfbProcessFileTransferReadBuffer if length can not be + allocated (CVE-2018-20749) (Closes: #920941) + * Limit lenght to INT_MAX bytes in rfbProcessFileTransferReadBuffer() + (CVE-2018-20750) (Closes: #920941) + +0.9.11+dfsg-1.2 [Wed, 02 Jan 2019 16:26:53 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload. + * Fix multiple security vulnerabilities (Closes: #916941) + - Use-after-free in file transfer extension allows for potential + code execution (CVE-2018-15126) + - Heap out-of-bounds write in + rfbserver.c:rfbProcessFileTransferReadBuffer() allows for + potential code execution (CVE-2018-15127) + - Multiple heap out-of-bound writes in VNC client code + (CVE-2018-20019) + - Heap out-of-bound write inside structure in VNC client code allows + for potential code execution (CVE-2018-20020) + - Infinite loop in VNC client code allows for denial of service + (CVE-2018-20021) + - Improper initialization in VNC client code allows for information + disclosure (CVE-2018-20022) + - Improper initialization in VNC Repeater client code allows for + information disclosure (CVE-2018-20023) + - NULL pointer dereference in VNC client code allows for denial of + service (CVE-2018-20024) + - Use-after-free in file transfer extension server code allows for + potential code execution (CVE-2018-6307) + * Update symbols file for libvncserver1. + The fix for CVE-2018-15126 removes CloseUndoneFileTransfer and + introduces new CloseUndoneFileDownload and CloseUndoneFileUpload. + +0.9.11+dfsg-1.1 [Tue, 05 Jun 2018 14:43:47 +0200] Markus Koschany <apo@debian.org>: * Non-maintainer upload. * Fix CVE-2018-7225: Uninitialized and potentially sensitive data could be <http://10.200.17.11/4.3-3/#413696957010537505> OK: yaml OK: announce_errata OK: patch OK: piuparts [4.3-3] 3e086c5f57 Bug #48591: libvncserver 0.9.11+dfsg-1.3~deb9u1 doc/errata/staging/libvncserver.yaml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) |